Newly Released ECCouncil 312-50v13 Exam PDF

The attackers described are most consistent with black hat hackers because their actions are clearly unauthorized, intentionally harmful, and motivated by financial gain. They compromise a financial institution, deploy credential-stealing malware, exfiltrate customer account data, and then sell the stolen information on underground forums. This aligns with criminal hacking behavior: monetizing access and stolen data through illicit marketplaces, fraud, and repeated targeting of similar victims.

The scenario explicitly rules out ideologically motivated activity: “no political or social statements are made.” That makes hacktivists unlikely, since hacktivism typically involves a political, social, or ideological motive and often seeks publicity for a cause (defacements, leaks, DDoS protests). It also rules out ethical categories: white hat hackers operate with authorization and report findings to improve security rather than steal and sell credentials. Script kiddies are generally low-skill attackers who rely on existing tools and scripts; while they can cause harm, the scenario highlights sustained targeting, credential theft, and underground monetization—behavior more strongly associated with organized cybercriminals/black hats.

Black hats typically pursue objectives like theft of credentials, financial fraud, ransomware deployment, and sale of access or data. Their operations often emphasize anonymity, operational security, and repeatability across many similar targets—consistent with “continuing to target similar organizations for financial gain.”

Therefore, the most likely category is A. Black Hat hackers.

CEH’s social engineering principles highlight psychological manipulation techniques such as authority, urgency, trust exploitation, and impersonation. In this scenario, the attacker leverages “perceived authority,” a powerful influence tactic where the social engineer poses as someone with legitimate power or sanctioned access—such as a technician, auditor, or vendor representative. CEH emphasizes that referencing real employee names, using technical terminology, and impersonating trusted third-party partners increases believability and reduces verification resistance. The receptionist’s acceptance of the attacker’s presence without verifying credentials matches classical authority-based exploitation. Leaked credentials, physical security logs, and network segmentation issues do not relate to human-layer social engineering. The situation clearly reflects the manipulation of trust and authority as described in CEH’s psychological attack vectors.

The system described is a Network-Based Intrusion Detection System because it is positioned near the perimeter firewall and inspects traffic flowing across the network segment rather than activity on a single endpoint. In CEH-aligned coverage, a NIDS is deployed at strategic network points such as behind a firewall, on core switches, or on SPAN or TAP links to monitor inbound and outbound packets. Its purpose is to detect suspicious patterns, signatures, protocol anomalies, and indicators of scanning or exploitation attempts across multiple hosts and an entire subnet. The question explicitly says it “analyzes incoming and outgoing traffic” and looks for patterns “across the entire subnet,” which matches NIDS scope and placement.

A Host-Based IDS, by contrast, runs on individual servers or workstations and monitors local events such as system calls, logs, file integrity, registry changes, and local network connections for that specific host. That does not match the perimeter-positioned, subnet-wide traffic analysis described. Host-based firewalls also operate per endpoint, enforcing rules for that machine only, and do not provide centralized subnet-wide packet inspection from a perimeter vantage point. A network-based firewall primarily enforces allow or deny policy and may perform stateful filtering, but it is not primarily described as a detection tool analyzing suspicious patterns; IDS is the detection-focused control.

Therefore, Olivia is attempting to bypass a Network-Based Intrusion Detection System to demonstrate how malicious traffic might evade monitoring controls placed near the firewall and to help the security team strengthen detection coverage and alerting.

Jordan is in the vulnerability scanning step because he has already moved past identification/cataloging (information gathering) and is now actively testing IoT devices for weaknesses such as outdated firmware, default credentials, and exposed/open service ports. In IoT hacking methodology, information gathering focuses on discovering devices, mapping the environment, identifying device types, interfaces, protocols, and versions, and understanding how data flows between endpoints, gateways, mobile apps, and cloud services. Once that baseline inventory exists, the next step is to assess the devices and their ecosystem components for known and observable security gaps.

The specific checks described are classic vulnerability scanning targets in IoT environments:

Outdated firmware can indicate known vulnerabilities, missing security fixes, and unpatched components.

Default passwords are a common IoT weakness and can enable trivial compromise when not changed.

Open service ports reveal exposed management interfaces or unnecessary services that can be enumerated or exploited.

Running “specialized tools” to systematically evaluate these elements is consistent with vulnerability scanning because it is structured assessment aimed at finding exploitable conditions, but it stops short of actually exploiting or establishing persistence.

Why the other options do not fit:

Information gathering (C) would focus on identifying devices and collecting details, not actively checking them for outdated firmware/default passwords/open ports as vulnerabilities.

Gain remote access (B) implies exploitation or obtaining unauthorized control/access, which the scenario does not indicate—he is checking and assessing.

Launch attacks (D) implies executing exploitation, disruption, or compromise steps. The question explicitly frames this as testing for weaknesses, not carrying out attacks.

Therefore, Jordan is performing A. Vulnerability scanning.